RubyGems - stack_master - Versions diffs - 1.14.0 → 1.15.0 - Mend

stack_master 1.14.0 → 1.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/README.md +40 -1
data/lib/stack_master.rb +1 -0
data/lib/stack_master/parameter_resolvers/ejson.rb +48 -0
data/lib/stack_master/stack_definition.rb +7 -0
data/lib/stack_master/stack_differ.rb +1 -1
data/lib/stack_master/version.rb +1 -1
metadata +18 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c6272dd327e82ec747c26129191c4c8e262a4350d6634941f14035746399cb77
-  data.tar.gz: 6dc8058810bee48a3aed457669ffdda94e9d88fdc2ab1e1c12b9a689a3799c46
+  metadata.gz: 1acbc281b89ec3188892fac6692c4e885780efd8ba83f746a774557c0e1194ca
+  data.tar.gz: e18cb99eb7f3e99ac0b8fee4b952cb1d21b9f1467a4bbe8dac9250695649f543
 SHA512:
-  metadata.gz: 6dad4bcffbc40f9a45377625ef7769f122b5880bbcc61bead8a9ffdd75ee063001f322f9e62079aa00b370f791afd2f76c7acb9b668f6d4f7f41128c63954b65
-  data.tar.gz: a12c14c9024e187a5b734020cda2adc1c40d7983f58450022ea5f2301412968a167f4ebd6233f02097b8341541dc5ae50b213b6b59730f540594df90b327fd5f
+  metadata.gz: bcc6882c647189f6f758896da7cd8084638b707af26faeb234435b99a1e5cd466c0ca90e2f30a67b4414f21f38d899414d7935e49d2a7355ccd84ad700c87ba9
+  data.tar.gz: b48a690acadd00aa426084cc3b3b7aeb100b6fbfeaad738cb645df77ca6bd3edce347acf71d2b28ec3ff80833f15e4c55f95f5719922f0d061b2102c0ae1760c

data/README.md CHANGED Viewed

@@ -175,7 +175,7 @@ key_name: myapp-us-east-1
 ### Compile Time Parameters
-Compile time parameters can be used for [SparkleFormation](http://www.sparkleformation.io) templates. It conforms and
+Compile time parameters can be used for [SparkleFormation](http://www.sparkleformation.io) templates. It conforms and
 allows you to use the [Compile Time Parameters](http://www.sparkleformation.io/docs/sparkle_formation/compile-time-parameters.html) feature.
 A simple example looks like this
@@ -268,6 +268,7 @@ you will likely want to set the parameter to NoEcho in your template.
 db_password:
   parameter_store: ssm_parameter_name
 ```
 ### 1Password Lookup
 An Alternative to the alternative secret store is accessing 1password secrets using the 1password cli (`op`).
 You declare a 1password lookup with the following parameters in your parameters file:
@@ -286,6 +287,44 @@ Currently we support two types of secrets, `password`s and `secureNote`s. All va
 For more information on 1password cli please see [here](https://support.1password.com/command-line-getting-started/)
+### EJSON Store
+[ejson](https://github.com/Shopify/ejson) is a tool to manage asymmetrically encrypted values in JSON format.
+This allows you to keep secrets securely in git/Github and gives anyone the ability the capability to add new
+secrets without requiring access to the private key. [ejson_wrapper](https://github.com/envato/ejson_wrapper)
+encrypts the underlying EJSON private key with KMS and stores it in the ejson file as `_private_key_enc`. Each
+time an ejson secret is required, the underlying EJSON private key is first decrypted before passing it onto
+ejson to decrypt the file.
+First, generate an ejson file with ejson_wrapper, specifying the KMS key ID to be used:
+```shell
+gem install ejson_wrapper
+ejson_wrapper generate --region us-east-1 --kms-key-id [key_id] --file secrets/production.ejson
+```
+Then, add the `ejson_file` argument to your stack in stack_master.yml:
+```yaml
+stacks:
+  us-east-1:
+    my_app:
+      template: my_app.json
+      ejson_file: production.ejson
+```
+finally refer to the secret key in the parameter file, i.e. parameters/my_app.yml:
+```yaml
+my_param:
+  ejson: "my_secret"
+```
+Additional configuration options:
+- `ejson_file_region` The AWS region to attempt to decrypt private key with
+- `ejson_file_kms` Default: true. Set to false to use ejson without KMS.
 ### Security Group
 Looks up a security group by name and returns the ARN.

data/lib/stack_master.rb CHANGED Viewed

@@ -68,6 +68,7 @@ module StackMaster
     autoload :AcmCertificate, 'stack_master/parameter_resolvers/acm_certificate'
     autoload :AmiFinder, 'stack_master/parameter_resolvers/ami_finder'
     autoload :StackOutput, 'stack_master/parameter_resolvers/stack_output'
+    autoload :Ejson, 'stack_master/parameter_resolvers/ejson'
     autoload :Secret, 'stack_master/parameter_resolvers/secret'
     autoload :SnsTopicName, 'stack_master/parameter_resolvers/sns_topic_name'
     autoload :SecurityGroup, 'stack_master/parameter_resolvers/security_group'

data/lib/stack_master/parameter_resolvers/ejson.rb ADDED Viewed

@@ -0,0 +1,48 @@
+require 'ejson_wrapper'
+module StackMaster
+  module ParameterResolvers
+    class Ejson < Resolver
+      SecretNotFound = Class.new(StandardError)
+      def initialize(config, stack_definition)
+        @config = config
+        @stack_definition = stack_definition
+      end
+      def resolve(secret_key)
+        validate_ejson_file_specified
+        secrets = decrypt_ejson_file
+        secrets.fetch(secret_key.to_sym) do
+          raise SecretNotFound, "Unable to find key #{secret_key} in file #{ejson_file}"
+        end
+      end
+      private
+      def validate_ejson_file_specified
+        if @stack_definition.ejson_file.nil?
+          raise ArgumentError, "No ejson_file defined for stack definition #{@stack_definition.stack_name} in #{@stack_definition.region}"
+        end
+      end
+      def decrypt_ejson_file
+        @decrypt_ejson_file ||= EJSONWrapper.decrypt(ejson_file_path,
+                                                     use_kms: @stack_definition.ejson_file_kms,
+                                                     region: ejson_file_region)
+      end
+      def ejson_file_region
+        @stack_definition.ejson_file_region || StackMaster.cloud_formation_driver.region
+      end
+      def ejson_file_path
+        @ejson_file_path ||= File.join(@config.base_dir, secret_path_relative_to_base)
+      end
+      def secret_path_relative_to_base
+        @secret_path_relative_to_base ||= File.join('secrets', @stack_definition.ejson_file)
+      end
+    end
+  end
+end

data/lib/stack_master/stack_definition.rb CHANGED Viewed

@@ -10,6 +10,9 @@ module StackMaster
                   :base_dir,
                   :template_dir,
                   :secret_file,
+                  :ejson_file,
+                  :ejson_file_region,
+                  :ejson_file_kms,
                   :stack_policy_file,
                   :additional_parameter_lookup_dirs,
                   :s3,
@@ -25,6 +28,7 @@ module StackMaster
       @s3 = {}
       @files = []
       @allowed_accounts = nil
+      @ejson_file_kms = true
       super
       @template_dir ||= File.join(@base_dir, 'templates')
       @allowed_accounts = Array(@allowed_accounts)
@@ -41,6 +45,9 @@ module StackMaster
         @notification_arns == other.notification_arns &&
         @base_dir == other.base_dir &&
         @secret_file == other.secret_file &&
+        @ejson_file == other.ejson_file &&
+        @ejson_file_region == other.ejson_file_region &&
+        @ejson_file_kms == other.ejson_file_kms &&
         @stack_policy_file == other.stack_policy_file &&
         @additional_parameter_lookup_dirs == other.additional_parameter_lookup_dirs &&
         @s3 == other.s3 &&

data/lib/stack_master/stack_differ.rb CHANGED Viewed

@@ -75,7 +75,7 @@ module StackMaster
     def single_param_update?(param_name)
       return false if param_name.blank? || @current_stack.blank? || body_different?
-      differences = HashDiff.diff(@current_stack.parameters_with_defaults, @proposed_stack.parameters_with_defaults)
+      differences = Hashdiff.diff(@current_stack.parameters_with_defaults, @proposed_stack.parameters_with_defaults)
       return false if differences.count != 1
       diff = differences[0]
       diff[0] == "~" && diff[1] == param_name

data/lib/stack_master/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module StackMaster
-  VERSION = "1.14.0"
+  VERSION = "1.15.0"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: stack_master
 version: !ruby/object:Gem::Version
-  version: 1.14.0
+  version: 1.15.0
 platform: ruby
 authors:
 - Steve Hodgkiss
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-07-03 00:00:00.000000000 Z
+date: 2019-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -377,6 +377,20 @@ dependencies:
         version: '0'
 - !ruby/object:Gem::Dependency
   name: hashdiff
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: ejson_wrapper
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -441,6 +455,7 @@ files:
 - lib/stack_master/parameter_resolver.rb
 - lib/stack_master/parameter_resolvers/acm_certificate.rb
 - lib/stack_master/parameter_resolvers/ami_finder.rb
+- lib/stack_master/parameter_resolvers/ejson.rb
 - lib/stack_master/parameter_resolvers/env.rb
 - lib/stack_master/parameter_resolvers/latest_ami.rb
 - lib/stack_master/parameter_resolvers/latest_ami_by_tags.rb
@@ -514,8 +529,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.6
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: StackMaster is a sure-footed way of creating, updating and keeping track